View online: https://www.drupal.org/sa-contrib-2018-055
Project: PHP Configuration [1]
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: *Critical* 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution
Description: This module enables you to add or overwrite PHP configuration on a drupal website.
The module doesn't sufficiently restrict access to setting these configurations, which lets an attacker change the PHP configuration at will and, through it, execute arbitrary PHP code.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer phpconfig".
After updating the module, review the permissions of your website; if the 'administer phpconfig' permission is granted to a role that is not fully trusted, we advise revoking it.
Solution: Install the latest version:
* If you use the PHP Configuration module for Drupal 7.x, upgrade to PHP Configuration 7.x-1.1
* If you use the PHP Configuration module for Drupal 8.x, upgrade to PHP Configuration 8.x-1.1
Also see the PHP Configuration [3] project page.
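The permission review recommended above can be scripted against the Drupal user API. The following is an added example, not part of this advisory or of the PHP Configuration module: it lists every role that holds 'administer phpconfig' and, when dry-run mode is switched off, revokes the permission from any role not on a trusted list. It assumes it is executed inside a bootstrapped site (for example with `drush php:script` on Drupal 8 or `drush php-script` on Drupal 7); the trusted-role list and the script file name are placeholders. user_role_names() and user_role_revoke_permissions() exist with the same signatures in Drupal 7 and 8, so one script serves both branches.

```php
<?php
/**
 * Added example (not from the advisory): audit the "administer phpconfig"
 * permission after updating the PHP Configuration module.
 *
 * Assumed invocation, inside a bootstrapped Drupal site:
 *   drush php:script audit_phpconfig.php   (Drush 9+, Drupal 8)
 *   drush php-script audit_phpconfig.php   (Drush 8, Drupal 7)
 */

// Placeholder: roles whose members are fully trusted to change PHP settings.
// Use role machine names on Drupal 8 and integer role IDs on Drupal 7.
$trusted_roles = ['administrator'];

// Report only until you have reviewed the output; set to FALSE to revoke.
$dry_run = TRUE;

$permission = 'administer phpconfig';

// With a permission argument, user_role_names() returns only the roles that
// hold that permission, keyed by role ID (rid on D7, machine name on D8).
$holders = user_role_names(FALSE, $permission);

if (empty($holders)) {
  print "No role holds '$permission'.\n";
  return;
}

foreach ($holders as $rid => $label) {
  if (in_array($rid, $trusted_roles, TRUE)) {
    print "KEEP    $label ($rid): listed as trusted\n";
    continue;
  }
  if ($dry_run) {
    print "WOULD REVOKE $label ($rid): not a trusted role\n";
    continue;
  }
  // Revoke from the untrusted role, as the advisory recommends.
  user_role_revoke_permissions($rid, [$permission]);
  print "REVOKED $label ($rid): '$permission' removed\n";
}
```

Run it once in dry-run mode to see which roles would be affected, then set $dry_run to FALSE and run it again; afterwards confirm the result on the Permissions page, since a cached role listing can lag behind the database.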
Reported By: * Balazs Janos Tatar [4] Provisional security team member
Fixed By: * bappa.sarkar [5] The module maintainer
Coordinated By: * mpotter [6] of the Drupal Security Team
[1] https://www.drupal.org/project/phpconfig
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/phpconfig
[4] https://www.drupal.org/u/tatarbj
[5] https://www.drupal.org/user/262655
[6] https://www.drupal.org/u/mpotter